Citadel trojan attempts to grab your master key.


Cyber criminals have started targeting the password managers that protect an individual's most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.

The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start a keylogger whenever the user opened Password Safe or KeePass, two open-source password managers. Because the master password is the one secret that unlocks every credential in the vault, capturing it as it is typed defeats the vault's encryption without attacking the cryptography at all. While malware has previously targeted the credentials stored in the password managers built into popular Web browsers, third-party password managers have typically not been targeted.

While the current impact of the attack is low, the implication of the attackers' focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.

“Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” she said.

Cyber criminals have increasingly focused on stealing passwords from online repositories and services. Passwords on their own are generally not considered adequate protection for important data or online services: a password that is easy to remember is also easier to guess, which weakens the protection it provides.

Password managers improve the security of online accounts by letting users generate a different, complex password for each account and by storing those passwords in an encrypted vault. But the technology is not foolproof, as researchers showed this summer when they published details of flaws in five different programs for storing passwords.

Yet, when implemented correctly, the software lets individuals securely store a different credential for every site and system they use, avoiding password reuse.

It's no surprise, then, that attackers have started targeting that master key.

The Citadel configuration files found by the IBM researchers commanded the malware to begin keylogging whenever Password Safe or KeePass started running. The same configuration also watched for the neXus Personal Security Client, an authentication product, in order to capture its passwords. Any master passwords the malware captured were sent to a legitimate Web server that appeared to have been compromised by the attackers, which makes the exfiltration traffic harder to separate from ordinary browsing by destination reputation alone.
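The pattern described above (a password manager starts, a different process then begins capturing keystrokes and posts data to a web server) is the kind of sequence a detection engineer would want to correlate on an endpoint. The following is an added example, not code from the article or from IBM Trusteer: a small correlation check run over constructed telemetry. The event kinds (`process_start`, `keyboard_hook`, `http_post`), the field names, the process image names and the hostnames are all assumptions made for the illustration, not indicators from the Citadel campaign; in practice the events would come from an EDR or similar sensor.

```python
# Added example (not from the article or IBM Trusteer): correlate a password-manager
# start with a follow-on keylogger-plus-exfiltration pattern in endpoint telemetry.
# Event kinds, field names, image names and URLs are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List

# Assumed image names for the two password managers named in the article.
PASSWORD_MANAGERS = {"keepass.exe", "pwsafe.exe"}
# How long after the manager starts we look for the follow-on activity (assumption).
WINDOW_SECONDS = 60.0


@dataclass
class Event:
    ts: float          # seconds since epoch (constructed)
    kind: str          # "process_start" | "keyboard_hook" | "http_post"
    pid: int           # process id of the acting process
    image: str         # image file name of the acting process
    detail: str = ""   # free text: hook type, URL, ...


def correlate(events: List[Event]) -> List[Dict]:
    """Return one alert for each password-manager start that is followed, within
    WINDOW_SECONDS, by a *different* process that both installs a keyboard hook
    and sends an HTTP POST. The manager's own activity is excluded by pid."""
    alerts: List[Dict] = []
    ordered = sorted(events, key=lambda e: e.ts)
    for start in ordered:
        if start.kind != "process_start" or start.image.lower() not in PASSWORD_MANAGERS:
            continue
        window = [e for e in ordered
                  if start.ts <= e.ts <= start.ts + WINDOW_SECONDS and e.pid != start.pid]
        hookers = {e.pid for e in window if e.kind == "keyboard_hook"}
        for e in window:
            if e.kind == "http_post" and e.pid in hookers:
                alerts.append({
                    "manager": start.image.lower(),
                    "suspect_pid": e.pid,
                    "suspect_image": e.image,
                    "exfil_url": e.detail,
                    "delay_s": round(e.ts - start.ts, 1),
                })
    return alerts


# Constructed telemetry: a benign session first, then one matching the pattern.
SAMPLE_EVENTS = [
    Event(1000.0, "process_start", 4100, "KeePass.exe"),
    # A benign accessibility tool hooks the keyboard but never posts anything.
    Event(1001.0, "keyboard_hook", 4150, "osk-helper.exe", "WH_KEYBOARD_LL"),
    # A browser posts data but installed no hook, so it is not flagged either.
    Event(1005.0, "http_post", 2200, "chrome.exe", "https://mail.example.net/sync"),
    Event(2000.0, "process_start", 4200, "pwsafe.exe"),
    # Constructed suspect: hooks the keyboard right after the manager starts ...
    Event(2000.4, "keyboard_hook", 3131, "updater.exe", "WH_KEYBOARD_LL"),
    # ... and posts to a web server twelve seconds later.
    Event(2012.0, "http_post", 3131, "updater.exe", "https://blog.example.org/upload.php"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately requires both behaviours from the same process: a keyboard hook alone is common in accessibility and input tools, and an HTTP POST alone is common in browsers, but the combination shortly after a vault is opened is rare enough to be worth an analyst's time. Tuning WINDOW_SECONDS and adding an allowlist of known hooking tools is where most of the real work lies.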

It was not clear whether the attack was part of a targeted campaign or just opportunistic attackers aiming to grab credentials from users of the password managers, IBM Trusteer’s Tamir said. Despite the attack, password managers are still better than just using a few passwords, or worse, a single password, she said.

“I think that password managers and authentication solutions are more critical than ever,” Tamir said. “But it is important to keep in mind that these solutions are not sufficient in and of themselves—they have to be accessed from a clean machine.”


Robert Lemos
Robert Lemos is an award-winning freelance journalist, on assignment as IT security correspondent for Ars Technica. A former research engineer, he covers malware, hacking, cybercrime and enterprise security technology for a number of publications, including Ars Technica, eWEEK, TechTarget and MIT Technology Review. Twitter: @roblemos